chore(deps): bump bcrypt from 3.2.2 to 5.0.0 in /backend

[dependabot]

Bumps bcrypt from 3.2.2 to 5.0.0.

Changelog

Sourced from bcrypt's changelog.

5.0.0

• Bumped MSRV to 1.74.
• Added support for Python 3.14 and free-threaded Python 3.14.
• Added support for Windows on ARM.
• Passing hashpw a password longer than 72 bytes now raises a ValueError. Previously the password was silently truncated, following the behavior of the original OpenBSD bcrypt implementation.

4.3.0

• Dropped support for Python 3.7.
• We now support free-threaded Python 3.13.
• We now support PyPy 3.11.
• We now publish wheels for free-threaded Python 3.13, for PyPy 3.11 on manylinux, and for ARMv7l on manylinux.

4.2.1

• Bump Rust dependency versions - this should resolve crashes on Python 3.13 free-threaded builds.
• We no longer build manylinux wheels for PyPy 3.9.

4.2.0

• Bump Rust dependency versions
• Removed the BCRYPT_ALLOW_RUST_163 environment variable.

4.1.3

• Bump Rust dependency versions

4.1.2

• Publish both py37 and py39 wheels. This should resolve some errors relating to initializing a module multiple times per process.

4.1.1

• Fixed the type signature on the kdf method.
• Fixed packaging bug on Windows.
• Fixed incompatibility with passlib package detection assumptions.

... (truncated)

Commits

• 5060bce 5.0.0 release (#1078)
• e43f568 Bump actions/cache from 4.2.4 to 4.3.0 (#1077)
• fc9f680 Bump libc from 0.2.175 to 0.2.176 in /src/_bcrypt (#1075)
• 633f46f Add support for Python 3.14 (#1073)
• a2fefbb Remove pypy310 builds (#1074)
• f60707e Bump wasi from 0.14.5+wasi-0.2.4 to 0.14.7+wasi-0.2.4 in /src/_bcrypt (#1071)
• c790eed Bump unicode-ident from 1.0.18 to 1.0.19 in /src/_bcrypt (#1070)
• 122cbdc Bump target-lexicon from 0.13.2 to 0.13.3 in /src/_bcrypt (#1069)
• 2bd208d Bump wasi from 0.14.4+wasi-0.2.4 to 0.14.5+wasi-0.2.4 in /src/_bcrypt (#1068)
• e1aa9e8 remove poinless cargo cache paths from CI (#1067)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[davidamacey]

⚠️ Deferred from 0.4.0 release due to breaking change in bcrypt 5.0.0:

Passing hashpw a password longer than 72 bytes now raises a ValueError. Previously the password was silently truncated, following the behavior of the original OpenBSD bcrypt implementation.

This is a behavior-breaking change for any existing users with long passwords and for any new registrations with passwords >72 bytes. Before merging, we need to:

1. Add client-side and server-side password length validation at or below 72 bytes
2. Audit existing hashpw call sites in the auth code (backend/app/auth/direct_auth.py, backend/app/auth/password_policy.py, etc.)
3. Add tests that verify the new ValueError is caught and translated to a user-friendly error
4. Test with existing user accounts that may have been registered under the old silent-truncation behavior

Tracking for v0.4.1.